CVE-2022-36099 is a vulnerability in the XWiki Platform, specifically affecting the Wiki UI Main Wiki component. XWiki is a generic wiki platform widely used for collaborative content management and documentation. The vulnerability arises from improper neutralization of directives in dynamically evaluated code, classified under CWE-95 (Eval Injection) and CWE-94 (Code Injection). It affects versions starting from 5.3-milestone-2 up to but not including 13.10.6, and versions from 14.0 up to but not including 14.4. The core issue is that an attacker with view access to the `XWikiServerClassSheet` and another page saved with programming rights can inject arbitrary wiki syntax, including Groovy, Python, and Velocity script macros, via URL parameters. This injection enables arbitrary code execution within the wiki environment, effectively bypassing all rights checks. Consequently, an attacker can modify or disclose all content stored in the XWiki installation and potentially disrupt the availability of the wiki service. The vulnerability is particularly critical because it leverages legitimate features (programming rights and view access) to escalate privileges and execute code remotely without authentication barriers beyond the initial access. The issue has been patched in versions 13.10.6 and 14.4. Workarounds include manually editing the affected `XWiki.XWikiServerClassSheet` or `WikiManager.XWikiServerClassSheet` documents to apply the patch changes or importing the fixed document from version 14.4 for installations running version 12.0 or later. No known exploits are currently reported in the wild, but the potential impact remains significant due to the nature of the vulnerability and the widespread use of XWiki in enterprise environments.

For European organizations, this vulnerability poses a substantial risk to confidentiality, integrity, and availability of information managed within XWiki installations. Many enterprises, government agencies, and research institutions in Europe rely on XWiki for internal documentation, knowledge sharing, and collaboration. Exploitation could lead to unauthorized disclosure of sensitive or proprietary information, unauthorized modification of critical documentation, and disruption of business operations due to service unavailability. The ability to execute arbitrary code also opens the door to further lateral movement within the network, potentially compromising other systems. Public-facing or read-only XWiki installations are particularly vulnerable since attackers only need view access and a page with programming rights to exploit the flaw. Given the collaborative nature of XWiki, the risk of insider threats or compromised user accounts amplifies the threat. The absence of known exploits in the wild suggests organizations still have an opportunity to patch and mitigate before widespread attacks occur. However, the medium severity rating should not downplay the potential for significant operational and reputational damage if left unaddressed.

1. Immediate upgrade of all affected XWiki Platform instances to version 13.10.6 or 14.4 or later to apply the official patch. 2. If upgrading is not immediately feasible, manually edit the `XWiki.XWikiServerClassSheet` or `WikiManager.XWikiServerClassSheet` documents to incorporate the patch changes as recommended by the vendor. 3. For versions 12.0 and later, use the import feature in the administration application to import the fixed `XWiki.XWikiServerClassSheet` document from version 14.4. 4. Review and restrict programming rights assignments to the minimum necessary users and pages, limiting the attack surface. 5. Audit and monitor access logs for unusual URL parameter usage or access patterns that may indicate exploitation attempts. 6. Implement network segmentation and access controls to limit exposure of XWiki installations, especially those accessible publicly or to large user bases. 7. Educate users about the risks of granting programming rights and enforce strict change management policies for pages with elevated privileges. 8. Regularly back up XWiki content and configurations to enable rapid recovery in case of compromise or data tampering. 9. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block suspicious script injection attempts targeting the vulnerable parameters.